CrossBeam X45 to12400 GAiA 77.10 migration

[techy777]

We are planning to migrate from X45 Crossbeams to 12400 GAiA 77.10.
The management server is a Windows based VM that runs .70.

Can I migrate it to 77.10 and be able to manage the new gateway(12400-77.10) with the same management server once I upgrade it to 77.10?
Is there any caveats that I need to do?
Is the database with all the rules would upgrade as well when I do two jumps 70-75, 75-75.40, 75.40-77.10?

Thanks in advance.

[mcnallym]

The recommended process would be

R70 - R75
R75 - R77
R77 - R77.10

When you upgrade the Management Server then yes the Database, and Rules, Policy etc are upgraded with it.
It will still contain the objects and for Check Point then the only object that is changed to the new version is the Management Server object.

R77.10 can manage back to R65 still at the moment.

In terms of caveats then make sure you have a backup of the Management Server first of all.
Also make sure you disable any SNMP running on the box
Make sure that commands are run as an Administrator

You would then end up with the Windows VM on an R77.10 Installation.

Personally would be more inclined to

Advanced Upgrade Export from R70 to R70.50, and then import into a new VM with R70.50 installed ( same IP and hostname )
Advanced Migrate Export from R70.50 to a new VM on R77.10, also migrating to Gaia OS at the same time. ( same IP and hostname )

That way you still have an untouched origional R70 Windows VM if need to roll back.

[techy777]

Thank for your advice on this. We went from 70 to 75; 75 to 77; 77 to 77.10 via CLI in Windows, it said it successfully installed it but it is not there...puzzled...

[SVXDan83]

I realize I am reviving a very old thread, but I am going to be in a very similar situation. I have a pair of X80's that we are looking to migrate to Check Point Appliances running GAIA. This is literally the only thread I can find on the Internet of anyone who documented doing this!

Were you running the X45 in VSX mode? If so, what was your migration process? I've seen many documents and posts referring to using the vsx_util command to remap the Interfaces, upgrade the management database, etc.... However, I have been unable to get the new gateways to provision in my lab. If you migrated from Crossbeam to GAIA with VSX, and were willing, I'd love to pick your brain on a few details.

Thanks in advance!

-Dan

[jflemingeds]

I realize I am reviving a very old thread, but I am going to be in a very similar situation. I have a pair of X80's that we are looking to migrate to Check Point Appliances running GAIA. This is literally the only thread I can find on the Internet of anyone who documented doing this!

Were you running the X45 in VSX mode? If so, what was your migration process? I've seen many documents and posts referring to using the vsx_util command to remap the Interfaces, upgrade the management database, etc.... However, I have been unable to get the new gateways to provision in my lab. If you migrated from Crossbeam to GAIA with VSX, and were willing, I'd love to pick your brain on a few details.

Thanks in advance!

-Dan

I don't know if Valeri Loukine has stopped hanging out, but it might not hurt to ping him. He does hang out in the Checkpoint Experts group on linkedin. Wouldn't hurt to ask there.

That being said, whats going south on the lab?

[SVXDan83]

Sorry this took so long to respond! For some reason, I didn't get an email telling me the thread had been updated. Anyways...

The slightly longer version of the story is that we have not found a definitive "guide" for migrating Crossbeam / XOS VSX to Checkpoint GAIA VSX. I realize the install base of XOS is relatively small compared to other platforms and such a document may not even exist internally to Checkpoint. However, the closest thing I have been able to find is an older document named "How to Migrate an IPSO VSX Cluster to Gaia R75.40VS" (http://downloads.checkpoint.com/dc/d...d.htm?ID=21103).

The principles in this document seem relatively similar. It outlined the steps to allow you to remap the Interfaces, change some cluster parameters, etc... However, using this guide as a rough framework, I cannot get the vsx_util script to complete successfully against the 5800 Gaia appliances in our lab. We have an X80 running a clone of our production X80's config in the lab along with a VM clone of our production Management Server. We brought in two 5800's to test different migration strategies.

So far, I have tried it two different ways. The first method was shutting the X80 completely down & giving the 5800's the same IPs that the Crossbeam gateways had and using vsx_util reconfigure to re-provision the existing VSX Cluster Member objects onto the 5800 appliances. This method would establish SIC and begin provisioning the VS's before it would just terminate with a very nondescript error that the IP of the Gateway was unreachable.

The second method was to try to use vsx_util to add one of the 5800 boxes to the existing Cluster that already contained the Crossbeam VSX Cluster members. In this scenario, I was hoping I could join the two 5800's and then go back and remove the Crossbeam members once it finished. Unfortunately, I don't believe we got any further with the provisioning than we did using Method #1.

At the end of the day, our goal is to be able to perform this migration with as close to zero down time as possible. I fully realize that may not be possible, but its what we are hoping for! I am also looking at the VSX provisioning tool as a potential solution. Based on the documentation, it seems like I should be able to dump the whole VSX cluster's config to a text file. Which then, possibly, I could just modify to match up with 5800's configuration. Then, when it came to converting, we could just run the scripts on the CP appliances and shut the X80 off. Off course, that didn't go as planned, either! When I run any command against the XOS VSX Cluster, I get an error indicating "Tool doesn't support operations on VSX object". So, I'm wondering if this tool only works against GAIA VSX clusters? I opened a SR with Checkpoint today on this issue.

So, sorry for all the rambling, but that is kind of where we are at. Moving forward, we are pretty sure we need to vacate the X-Series platform. While it has been unbelievably stable, support has always been a big problem and with Symantec's acquisition of Blue Coat, I don't see how that is going to get any better. I'd imagine we aren't the only users in this position, so I am very interested in hearing any thoughts from anyone who's performed a similar migration.

Thanks!

-Dan

I don't know if Valeri Loukine has stopped hanging out, but it might not hurt to ping him. He does hang out in the Checkpoint Experts group on linkedin. Wouldn't hurt to ask there.

That being said, whats going south on the lab?